CVE-2017-5990
PhreeBooksERP (pre-2017-02-13) both ShippingMethods/ups/label_mgr/js_include.php and ShippingMethods/yrc/label_mgr/js_include.php suffer from insufficient filtration of user-supplied data in the form GET parameter. This allows an attacker to trigger arbitrary HTML/JavaScript in a victim’s browser...